What We Do
How We Do
Resources
Company
Partners
Get Started
Security advisories

Cisco IOS XE Software Web UI Privilege Escalation Vulnerability (CVE-2023-20198)

October 17, 2023 | 3 MINS READ

Speak With A Security Expert Now

TALK TO AN EXPERT

THE THREAT

On October 16th, 2023, Cisco issued an advisory about an actively exploited vulnerability in the web UI feature of Cisco IOS XE Software when exposed to untrusted networks or the internet.

Designated as CVE-2023-20198, with a maximum severity CVSS score of 10.0, this vulnerability permits remote attackers, without authentication, to establish an account on a compromised system with privilege level 15 access. The attacker can leverage this unauthorized account to seize control of the affected device. Additionally, it is probable that internet-exposed devices are compromised. Based on open-source analysis conducted by eSentire Threat Intelligence, implant strings were detected on just under 50% of exposed systems based on a review of 1000 exposed systems.

Cisco has clarified that there's no available workaround or patch for this flaw, as of October 17th, 2023, making the mitigation suggestion paramount to apply as soon as possible. Cisco strongly recommends that "customers disable the HTTP Server feature on all internet-facing systems. To disable the HTTP Server feature, use the ‘no ip http server’ or ‘no ip http secure-server' command in global configuration mode. If both the HTTP server and HTTPS server are in use, both commands are required to disable the HTTP Server feature."

They've also noted indications of the system potentially being compromised, highlighting the seriousness of active exploitation in the wild. Additionally, eSentire TRU has identified exploitation in the wild dating back to at least October 12. Given the gravity of this exploit and the absence of any immediate patches, organizations must assess their exposure and take protective measures.

What we’re doing about it

What you should do about it

Additional information

Cisco has identified an ongoing active exploitation of a previously undisclosed vulnerability in Cisco IOS XE software's Web User Interface (Web UI) feature (CVE-2023-20198). The vulnerability impacts physical and virtual devices running the Web UI software with the HTTP or HTTPS Server feature activated. The Web UI is bundled with the default image, implying that no extra licenses or setups are required for its activation. Upon successful exploitation, the intruder can fabricate an account with privilege level 15 on the compromised device, thus acquiring absolute control of the device and providing a foothold for further unauthorized activities.

Cisco's advisory to deactivate the HTTP server feature on systems, accessible via the Internet, is not just a best practice but also echoes the advisory guidelines previously provided by the U.S. government, emphasizing the risks associated with publicly accessible management interfaces.

The discovery of this vulnerability emerged from a collaborative effort between Cisco support centers and their security team. This collaboration identified unique indicators from a minuscule fraction of cases among the typically high daily case influx.

When this was published on October 17th, no proof-of-concept code was found to be publicly available for CVE-2023-20198. Given the severity of this vulnerability, adherence to the guidelines in Cisco's PSIRT advisory should be prioritized. Organizations, potentially impacted by this vulnerability, must promptly integrate the mitigation steps and perform retroactive sweeps to verify exploitation was not achieved.

Indicators of Compromise:

205.185.123[.]17

IP Address

162.33.177[.]204

IP Address

5.149.249[.]74

IP Address

154.53.56[.]231

IP Address

cisco_tac_admin

Username

cisco_support

Username

References:

[1] https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z
[2] Active exploitation of Cisco IOS XE Software Web Management User Interface vulnerability
[3] CVE-2023-20198: Zero-Day Vulnerability in Cisco IOS XE Exploited in the Wild
[4] Shodan Search
[5] https://www.cisa.gov/news-events/news/website-security
[6] https://vulncheck.com/blog/cisco-implants

View Most Recent Advisories